Fake System Tools Spread to Japan

Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants have now started to affect Japanese users as well.

Fake system diagnostic tools such as the variant discussed here, named System Defragmenter, were first seen in October 2010. These tools change their names very frequently; at present, we are aware of at least 30 different names/aliases in use. Cybercriminals may believe that renaming their "products" makes them harder to detect and remove.

None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.

Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. The fake tool appears to function like a real system diagnosis tool, though its supposed diagnostic functions never actually work. Once a PC is infected, the tool repeatedly displays fake warnings claiming that the system is suffering from hard disk problems.

Inexperienced users may worry and panic over these supposed problems. They may end up paying for additional "tools" and handing cybercriminals personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools cause real problems for their victims.

Infection Vectors

Fake diagnostic tools may arrive via several different infection vectors. One is the drive-by download: users visit malicious sites riddled with exploits, which silently install malicious files in the background.

The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. They lure users either to sites they control, often by means of Black Hat Search Engine Optimization (SEO) poisoning, or to compromised legitimate sites. When the fake tool is installed without the user's knowledge, the user may take it for a legitimate program that was already on the system, which is what allows the attack to succeed.

System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distributed it are now inaccessible, similar attacks have continued to be launched, using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.

Its installer uses the same icon as Windows Update.

Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.

A gallery in the original post shows the various fake alerts and scan screens that this malware displays.

Here are some of the other names the fake diagnostic tools use:

Check Disk

Defragmenter

Disk Doctor

Disk Optimizer

Disk Repair

DiskOK

EasyScan

FastDisk

GoodMemory

Hard Drive Diagnostic

HDDControl

HDDDefragmenter

HDDDiagnostic

HDDFix

HDDHelp

HDDPlus

HDDLow

HDDRecovery

HDDRepair

HDDRescue

HDDTools

MemoryFixer

MyDisk

QuickDefrag

Scan Disk

Scanner

Smart HDD

Support Tool 2011

System Degragmenter

Ultra Defragger

Win Defrag

Win Defragmenter

Win Scanner

Solutions and Workarounds

Trend Micro free tools can clean systems that have been affected by System Defragmenter. However, users first have to work around one of this malware's behaviors: it monitors the execution of applications and blocks security tools such as HijackThis, as well as executables under C:\Windows and C:\Program Files, displaying a fake error message instead of running them.

Users will therefore have to terminate the malware process first. The procedure starts with determining the file name the malware uses. To do this, follow these steps:

Right-click the shortcut (System Defragmenter) on the desktop and select Properties.

Check and note the target file name, which is usually made up of random characters. In the screenshot from the original post, the file name used was 1181500.exe.

After taking note of the file name, open Task Manager (press Ctrl+Alt+Delete, or Ctrl+Shift+Esc) and use it to terminate the fake tool's process.

Using HijackThis, take note of all the registry entries that the malware added. HijackThis can then remove these entries to stop the malware from running whenever the system starts. (In the original post's screenshot, the suspicious entries are enclosed in a red box.)

Our online scanner HouseCall can then be used to scan and remove the malware from the system.
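The manual steps above (resolve the shortcut to the malware's file name, kill its process, remove the autostart registry entries that point at it, and delete the file) can be scripted. The following PowerShell script is an added example written for this page; it is not a Trend Micro tool and was not part of the original post. It assumes the desktop shortcut is named "System Defragmenter.lnk" (change the parameter if the alias differs) and that the malware uses ordinary Run/RunOnce keys for persistence, which is what HijackThis was used to clean up in the post. Because the malware blocks executables under C:\Windows while it is running, run this after the process has been killed from Task Manager, or from Safe Mode. Without the -Remove switch it only reports what it finds.

```powershell
# Added example, not from the original post: automate the cleanup steps above.
param(
    [string]$ShortcutName = 'System Defragmenter.lnk',   # assumed shortcut name
    [switch]$Remove                                      # report only unless given
)

# Step 1: resolve the desktop shortcut to the randomly named executable
# (what "Properties" on the shortcut shows, e.g. 1181500.exe in the post).
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop $ShortcutName
if (-not (Test-Path -LiteralPath $lnkPath)) { throw "Shortcut not found: $lnkPath" }

$shell   = New-Object -ComObject WScript.Shell
$target  = $shell.CreateShortcut($lnkPath).TargetPath
$exeName = [IO.Path]::GetFileName($target)
Write-Host "Shortcut target: $target"

# Step 2: terminate the running process (what Task Manager was used for).
$procName = [IO.Path]::GetFileNameWithoutExtension($target)
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Running process: PID $($_.Id) ($procName)"
    if ($Remove) { Stop-Process -Id $_.Id -Force }
}

# Step 3: find autostart values that reference the malware file
# (the entries HijackThis lists and removes). Assumption: Run/RunOnce keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $value = "$($key.GetValue($name))"
        # Match on the random file name rather than the full path, since the
        # entry may quote the path or use short (8.3) path names.
        if ($value -like "*$exeName*") {
            Write-Host "Autostart entry: $keyPath\$name = $value"
            if ($Remove) { Remove-ItemProperty -Path $keyPath -Name $name }
        }
    }
}

# Step 4: the malware executable and its shortcut.
foreach ($path in @($target, $lnkPath)) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "Malware file: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}
```

Run it first without -Remove and compare its output with what HijackThis reports; if the autostart entry uses a mechanism other than the Run/RunOnce keys assumed here, the script will report nothing for step 3 and HijackThis remains the tool to use. A full scan with HouseCall afterwards is still advisable, since the script only removes what the shortcut leads to.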
